documentation update v1.4.4

This commit is contained in:
Jeremy Long
2016-11-05 09:41:16 -04:00
parent e1a447f722
commit a1b5e3f7b0
1217 changed files with 79708 additions and 51391 deletions


general/hints.html Normal file

@@ -0,0 +1,307 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-11-05
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20161105" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; Resolving False Negatives</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.5.min.js"></script>
<style type="text/css">
#bannerLeft { margin-top:-20px;margin-bottom:5px !important }
</style>
</head>
<body class="topBarDisabled">
<a href="https://github.com/jeremylong/DependencyCheck">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
</a>
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<img src="../images/dc.svg" alt="OWASP dependency-check"/>
</div>
</div>
<div class="pull-right"> </div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class="">
<a href="../#" title="">
</a>
<span class="divider">/</span>
</li>
<li class="active ">Resolving False Negatives</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-11-05</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.4
</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
<span class="icon-chevron-down"></span>
General</a>
<ul class="nav nav-list">
<li>
<a href="../general/internals.html" title="How it Works">
<span class="none"></span>
How it Works</a>
</li>
<li>
<a href="../general/thereport.html" title="Reading the Report">
<span class="none"></span>
Reading the Report</a>
</li>
<li>
<a href="../general/suppression.html" title="False Positives">
<span class="none"></span>
False Positives</a>
</li>
<li class="active">
<a href="#"><span class="none"></span>False Negatives</a>
</li>
<li>
<a href="../data/index.html" title="Internet Access Required">
<span class="icon-chevron-right"></span>
Internet Access Required</a>
</li>
<li>
<a href="../related.html" title="Related Work">
<span class="none"></span>
Related Work</a>
</li>
<li>
<a href="../general/dependency-check.pptx" title="Project Presentation (pptx)">
<span class="none"></span>
Project Presentation (pptx)</a>
</li>
<li>
<a href="../general/dependency-check.pdf" title="Project Presentation (pdf)">
<span class="none"></span>
Project Presentation (pdf)</a>
</li>
<li>
<a href="../general/SampleReport.html" title="Sample Report">
<span class="none"></span>
Sample Report</a>
</li>
<li>
<a href="../general/scan_iso.html" title="How to Scan an ISO Image">
<span class="none"></span>
How to Scan an ISO Image</a>
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
<span class="icon-chevron-right"></span>
File Type Analyzers</a>
</li>
<li>
<a href="../modules.html" title="Modules">
<span class="icon-chevron-right"></span>
Modules</a>
</li>
<li class="nav-header">Project Documentation</li>
<li>
<a href="../project-info.html" title="Project Information">
<span class="icon-chevron-right"></span>
Project Information</a>
</li>
<li>
<a href="../project-reports.html" title="Project Reports">
<span class="icon-chevron-right"></span>
Project Reports</a>
</li>
</ul>
<hr />
<div id="poweredBy">
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<div class="g-plusone" data-href="https://github.com/jeremylong/DependencyCheck.git" data-size="tall" ></div>
<div class="clear"></div>
<div class="clear"></div>
<div id="twitter">
<a href="https://twitter.com/ctxt" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow ctxt</a>
<script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="built with maven" src="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png" />
</a>
<a href="http://www.jetbrains.com/idea/" title="IntelliJ" class="builtBy">
<img class="builtBy" alt="developed using" src="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png" width="170px" />
</a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<h1>Resolving False Negatives</h1>
<p>Due to how dependency-check identifies libraries, false negatives may occur (a CPE was NOT identified for a library). Identifying these false negatives can be accomplished using the HTML report. In the report, click on the &#x201c;Display: Showing Vulnerable Dependencies (click to show all)&#x201d; link. You can then browse the dependencies and review the CPEs that are there for accuracy. You can also review the dependencies where no CPE match was made. Using the CPE dictionary search manually to verify that there is a CPE to match is a good verification that a false negative has been found. If you identify a dependency that is missing a CPE you can add evidence to help identify the correct CPE.</p>
<p>A possible reason for false negatives is re-naming of either the vendor or library name over time. Another case is when an artifact has missing info (manifest with no vendor).</p>
<p>Dependency Check has a built in <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck-base-hint.xml">hints</a> file that is used in every check to help correct well known false negatives.</p>
<p>A sample hints file that add a product name and possible vendors for Spring framework dependencies would look like:</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;hints xmlns=&quot;https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd&quot;&gt;
&lt;hint&gt;
&lt;given&gt;
&lt;evidence type=&quot;product&quot; source=&quot;Manifest&quot; name=&quot;Implementation-Title&quot; value=&quot;Spring Framework&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;product&quot; source=&quot;Manifest&quot; name=&quot;Implementation-Title&quot; value=&quot;org.springframework.core&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;product&quot; source=&quot;Manifest&quot; name=&quot;Implementation-Title&quot; value=&quot;spring-core&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;/given&gt;
&lt;add&gt;
&lt;evidence type=&quot;product&quot; source=&quot;hint analyzer&quot; name=&quot;product&quot; value=&quot;springsource_spring_framework&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;SpringSource&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;vmware&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;pivotal&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;/add&gt;
&lt;/hint&gt;
&lt;/hints&gt;
</pre></div></div>
<p>The above XML file will add the 4 evidence entries to any dependency that matches any one of the 3 givens.</p>
<p>The following shows some other ways to add evidence</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;hints xmlns=&quot;https://jeremylong.github.io/DependencyCheck/dependency-hint.1.1.xsd&quot;&gt;
&lt;hint&gt;
&lt;given&gt;
&lt;evidence type=&quot;product&quot; source=&quot;jar&quot; name=&quot;package name&quot; value=&quot;springframework&quot; confidence=&quot;LOW&quot;/&gt;
&lt;fileName contains=&quot;spring&quot;/&gt;
&lt;/given&gt;
&lt;add&gt;
&lt;evidence type=&quot;product&quot; source=&quot;hint analyzer&quot; name=&quot;product&quot; value=&quot;springsource_spring_framework&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;SpringSource&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;vmware&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;pivotal&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;/add&gt;
&lt;/hint&gt;
&lt;hint&gt;
&lt;given&gt;
&lt;fileName contains=&quot;my-thelib-.*\.jar&quot; regex=&quot;true&quot; caseSensitive=&quot;true&quot;/&gt;
&lt;/given&gt;
&lt;add&gt;
&lt;evidence type=&quot;product&quot; source=&quot;hint analyzer&quot; name=&quot;product&quot; value=&quot;thelib&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;evidence type=&quot;vendor&quot; source=&quot;hint analyzer&quot; name=&quot;vendor&quot; value=&quot;thevendor&quot; confidence=&quot;HIGH&quot;/&gt;
&lt;/add&gt;
&lt;/hint&gt;
&lt;/hints&gt;
</pre></div></div>
<p>The full schema for hints files can be found here: <a class="externalLink" href="https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-hint.1.1.xsd" title="Hint Schema">dependency-hint.xsd</a></p>
<p>Please see the appropriate configuration option in each interfaces configuration guide:</p>
<ul>
<li><a href="../dependency-check-cli/arguments.html">Command Line Tool</a></li>
<li><a href="../dependency-check-maven/configuration.html">Maven Plugin</a></li>
<li><a href="../dependency-check-ant/configuration.html">Ant Task</a></li>
<li><a href="../dependency-check-jenkins/index.html">Jenkins Plugin</a></li>
</ul>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p >Copyright &copy; 2012&#x2013;2016
<a href="http://www.owasp.org">OWASP</a>.
All rights reserved.
</p>
</div>
</div>
</footer>
</body>
</html>
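Review bot: the first hint in the second sample pairs a LOW-confidence `package name` evidence with `<fileName contains="spring"/>`, and the paragraph after the first sample states that a hint fires when a dependency matches any one of its givens; if that OR semantics applies here too, every artifact with "spring" anywhere in its file name (spring-security, spring-boot starters, third-party spring-* libraries) gets `springsource_spring_framework` added as HIGH-confidence product evidence, which trades one false negative for a batch of false positives. Either narrow that given (the anchored regex form used in the `my-thelib-.*\.jar` hint does this) or add a sentence warning that broad `fileName` givens must be scoped to the library they are meant to fix. Smaller points in the new text: "A sample hints file that add a product name" should read "adds"; "The following shows some other ways to add evidence" is missing its full stop; "each interfaces configuration guide" should be "each interface's"; the schema link is labelled `dependency-hint.xsd` but points at `dependency-hint.1.1.xsd`, and both samples use the `.1.1` name in their `xmlns`, so the label should match; the project is written "Dependency Check" in one paragraph and "dependency-check" everywhere else. The sidebar also loads `maven-feather.png` and `logo_intellij_idea.png` from `http://jeremylong.github.io/...` over plain http while the ribbon, schema namespace and script tags use https, so browsers will flag mixed content if the site is served over https; that comes from the skin configuration rather than this page, but it is worth fixing at the source since it repeats on every generated page.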


@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-09-06
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-11-05
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20160906" />
<meta name="Date-Revision-yyyymmdd" content="20161105" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; How does dependency-check work?</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
@@ -59,9 +59,9 @@
<li class="active ">How does dependency-check work?</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-09-06</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-11-05</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.3
Version: 1.4.4
</li>
</ul>
@@ -74,7 +74,7 @@
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
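Review bot: this 7-line hunk shows no added or removed line in the rendered diff, so the change is presumably whitespace or indentation only, and the same hunk recurs in every sidebar below. Unstable generator output of this kind is a large part of why the commit touches 1217 files with 79708 additions and buries the one real content change (the new `hints.html` page and its nav entry); consider normalizing the generated HTML before committing, or regenerating only the changed pages, so the site history stays reviewable.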
@@ -100,6 +100,13 @@
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../general/hints.html" title="False Negatives">
<span class="none"></span>
False Negatives</a>
</li>
<li>
@@ -144,7 +151,7 @@
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">


@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-09-06
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-11-05
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20160906" />
<meta name="Date-Revision-yyyymmdd" content="20161105" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; How to Mount ISO Files for Scanning</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
@@ -59,9 +59,9 @@
<li class="active ">How to Mount ISO Files for Scanning</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-09-06</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-11-05</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.3
Version: 1.4.4
</li>
</ul>
@@ -74,7 +74,7 @@
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
@@ -102,6 +102,13 @@
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../general/hints.html" title="False Negatives">
<span class="none"></span>
False Negatives</a>
</li>
<li>
@@ -144,7 +151,7 @@
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">


@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-09-06
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-11-05
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20160906" />
<meta name="Date-Revision-yyyymmdd" content="20161105" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; Suppressing False Positives</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
@@ -59,9 +59,9 @@
<li class="active ">Suppressing False Positives</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-09-06</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-11-05</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.3
Version: 1.4.4
</li>
</ul>
@@ -74,7 +74,7 @@
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
@@ -100,6 +100,13 @@
<a href="#"><span class="none"></span>False Positives</a>
</li>
<li>
<a href="../general/hints.html" title="False Negatives">
<span class="none"></span>
False Negatives</a>
</li>
<li>
@@ -144,7 +151,7 @@
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">
@@ -212,7 +219,7 @@
<div id="bodyColumn" class="span10" >
<h1>Suppressing False Positives</h1>
<p>Due to how dependency-check identifies libraries false positives may occur (a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the &#x201c;Complete XML Doc&#x201d; button on the top of the dialogue box to add the necessary schema elements.</p>
<p>Due to <a href="internals.html">how dependency-check identifies libraries</a> false positives may occur (i.e. a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the &#x201c;Complete XML Doc&#x201d; button on the top of the dialogue box to add the necessary schema elements.</p>
<p>A sample suppression file would look like:</p>
<div class="source">
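Review bot: the rewritten paragraph keeps the original's slips: "which you can simple hit Control-C" should be "simply", and "next to each CPE identified (and on CVE entries) there is a suppress button" reads better as "next to each identified CPE (and each CVE entry) there is a suppress button". Since the line is already being touched to add the `internals.html` link and the "(i.e. a CPE was identified that is incorrect)" gloss, fix those in the same change rather than leaving them for another pass.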


@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-09-06
| Generated by Apache Maven Doxia Site Renderer 1.7.1 at 2016-11-05
| Rendered using Apache Maven Fluido Skin 1.5
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20160906" />
<meta name="Date-Revision-yyyymmdd" content="20161105" />
<meta http-equiv="Content-Language" content="en" />
<title>dependency-check &#x2013; How To Read The Reports</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.5.min.css" />
@@ -59,9 +59,9 @@
<li class="active ">How To Read The Reports</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-09-06</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2016-11-05</li>
<li id="projectVersion" class="pull-right">
Version: 1.4.3
Version: 1.4.4
</li>
</ul>
@@ -74,7 +74,7 @@
<ul class="nav nav-list">
<li class="nav-header">OWASP dependency-check</li>
<li>
<a href="../index.html" title="General">
@@ -100,6 +100,13 @@
<span class="none"></span>
False Positives</a>
</li>
<li>
<a href="../general/hints.html" title="False Negatives">
<span class="none"></span>
False Negatives</a>
</li>
<li>
@@ -144,7 +151,7 @@
</li>
</ul>
</li>
<li>
<a href="../analyzers/index.html" title="File Type Analyzers">